GAO has identified weaknesses in all major categories of information security controls at federal agencies ... Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.